
Am I Clean? Been Working On This For Days...


This topic is locked
10 replies to this topic

#1 clueless in kansas


Posted 03 May 2007 - 11:17 AM

Hello all and first - thanks in advance for any help you can offer. By my 'chosen name' here, you'll see that my experience with viruses and all 'that' is limited! I'm 'clueless' and am hoping that by following directions, researching, scanning, fixing, quarantining, and all the other things I've done - that I'm possibly CLEAN!!

Here's my HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 11:12:06 AM, on 5/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Erin\Desktop\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program

Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot -

Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {60CD09B2-746D-4A4E-8184-C7F4D561012F} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program

Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\uoeqflsi.dll",realset
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware

7.5\avgas.exe" /minimized
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft

Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program

Files\Yahoo!\Common\yinsthelper.dll
O20 - Winlogon Notify: xxywwxy - xxywwxy.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program

Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: MSIEUpdater_1 (Microsoft IE Updater_1) - Unknown owner - C:\Documents and

Settings\Erin\ie_updater.exe (file missing)



ALL of the above is truly Greek to me!! Thanks to all for being here!!!

Erin


#2 rookie147


Posted 03 May 2007 - 11:24 AM

Hello there and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today.

From your log it appears that you are missing one important program: an antivirus. This is somewhat suicidal in today's digital world. Without one you are at a high risk of reinfection; while I can try to sort your problem out, if you have no protection, the infections will keep resurfacing.
Here are some great free antivirus programs:
Antivir, Avast!, AVG, Bitdefender Free
Install one of these, then run a full scan, letting it quarantine/delete anything it finds. Let me know if there is anything that it reports but can not remove.

I have also noticed that you do not appear to have a firewall installed. This is an essential piece of software that acts as an extra layer of security, which restricts access to your computer from the outside world.
Therefore, please download one of these free firewalls:
Zone Alarm
Kerio
If you would like some more information about firewalls and how to use them effectively, take a look here.

The current formatting of your log makes it difficult to read, so open up Notepad.
On top, click Format then uncheck "Word Wrap".
Please post me a new HijackThis log now this option has been turned off.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.


#3 clueless in kansas


Posted 03 May 2007 - 12:09 PM

Hi Charles and thanks for your speedy reply! I do use AVG but have it 'disabled' at the moment (or did so when I was running all the tools). I'll 're-install' now. I also 'disabled' my firewall during the scans and troubleshooting and will do that also.

Lastly - here's a new HJT file (I hope in the desired format):

Logfile of HijackThis v1.99.1
Scan saved at 11:12:06 AM, on 5/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Erin\Desktop\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {60CD09B2-746D-4A4E-8184-C7F4D561012F} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\uoeqflsi.dll",realset
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O20 - Winlogon Notify: xxywwxy - xxywwxy.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: MSIEUpdater_1 (Microsoft IE Updater_1) - Unknown owner - C:\Documents and Settings\Erin\ie_updater.exe (file missing)

Thank you!!!

#4 rookie147


Posted 03 May 2007 - 03:59 PM

Hello again,
Please print off a copy of these instructions, and also save them to a Notepad file on your desktop, so they are easily accessible.
We are going to boot into Safe Mode later in the fix, and there is no internet access.

Download SDFix and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Don't run it yet.

Scan again with HijackThis and put a checkmark next to each of the following entries (if present):

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {60CD09B2-746D-4A4E-8184-C7F4D561012F} - (no file)
O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - (no file)
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\uoeqflsi.dll",realset
O20 - Winlogon Notify: xxywwxy - xxywwxy.dll (file missing)
O23 - Service: MSIEUpdater_1 (Microsoft IE Updater_1) - Unknown owner - C:\Documents and Settings\Erin\ie_updater.exe (file missing)


Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix checked button.

Please reboot your computer into Safe Mode.
This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep.
Then select Safe Mode from the list.
Make sure you choose the option without Networking Support.

Set your system to show all files.
Navigate to Start | My Computer | Tools | Folder Options.
Select the View tab. Under the "Hidden Files and Folders" heading, select "Show hidden files and folders".
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Next, please find and delete the following files (if present):

C:\WINDOWS\system32\uoeqflsi.dll
C:\Documents and Settings\Erin\ie_updater.exe


We need to do a search for a file. Navigate to:
Start | Search | For Files and Folders.
Expand Search Options, check Advanced Options, check Search system folders, Search hidden files and folders, and Search Subfolders.
Paste this into the Search for files and folders named box:

xxywwxy.dll

If you find any examples of this file, please remove them.

Copy and paste the following text into Notepad:
sc stop "Microsoft IE Updater_1"
sc delete "Microsoft IE Updater_1"
Save this as "services.bat" (choose "All files" as the file type) and place it on your Desktop.
Double-click services.bat.

Open the extracted SDFix folder and double click runThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any key and it will restart the PC.
When the PC restarts the fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).

Scan again with HijackThis and post back a new log, along with the SDFix report.
Thanks,
Charles


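The triage Charles applies to the log above (orphaned "(no file)" and "(file missing)" entries, a service with an unknown owner, a Run key that loads a random-named system32 DLL through rundll32, and a Winlogon Notify package) written out as a small Python checker. This is an added example, not code from the thread or from HijackThis; the sample entries are copied from the second log in this thread, and the name-randomness heuristic is my own assumption, a triage hint rather than a verdict.

```python
import re

# Constructed sample: HijackThis 1.99.1 entries copied from the second log
# posted in this thread (raw string, so the Windows paths keep their backslashes).
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {60CD09B2-746D-4A4E-8184-C7F4D561012F} - (no file)
O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\uoeqflsi.dll",realset
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O20 - Winlogon Notify: xxywwxy - xxywwxy.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: MSIEUpdater_1 (Microsoft IE Updater_1) - Unknown owner - C:\Documents and Settings\Erin\ie_updater.exe (file missing)
"""

# HJT lines look like "<section> - <body>", e.g. "O4 - HKLM\..\Run: [...] ..."
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
DLL_RE = re.compile(r"([A-Za-z0-9_]+)\.dll", re.IGNORECASE)
VOWELS = set("aeiou")


def looks_random(name):
    """Assumed heuristic for machine-generated names such as uoeqflsi or
    xxywwxy: an all-letter name of 6+ characters with no vowels at all, or
    with a 'q' not followed by 'u'. Only a hint for a human reviewer."""
    n = name.lower()
    if not (n.isalpha() and len(n) >= 6):
        return False
    if not any(c in VOWELS for c in n):
        return True
    return re.search(r"q(?!u)", n) is not None


def triage(line):
    """Return the reasons one HJT entry deserves a second look ([] if clean)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    section, body = m.group("section"), m.group("body")
    reasons = []
    # Registry entry whose target file is gone: a leftover to clean up.
    if "(no file)" in body or "(file missing)" in body:
        reasons.append("orphaned entry: target file no longer exists")
    # Services carry a vendor string; "Unknown owner" means there is none.
    if section == "O23" and "Unknown owner" in body:
        reasons.append("service with no vendor string")
    # A Run key that starts rundll32 with a DLL is a classic persistence shape.
    if section == "O4" and "rundll32.exe" in body.lower():
        reasons.append("Run key loads a DLL via rundll32")
    for dll in DLL_RE.findall(body):
        if looks_random(dll):
            reasons.append("random-looking DLL name: %s.dll" % dll)
    # Winlogon Notify packages run at logon; each one should map to a known product.
    if section == "O20":
        reasons.append("Winlogon Notify package: confirm it belongs to a known product")
    return reasons


def triage_log(text):
    """Map each flagged entry line to its reasons; clean entries are omitted."""
    findings = {}
    for line in text.splitlines():
        reasons = triage(line)
        if reasons:
            findings[line.strip()] = reasons
    return findings


if __name__ == "__main__":
    for entry, reasons in triage_log(SAMPLE_LOG).items():
        print(entry)
        for reason in reasons:
            print("   ->", reason)
```

Run against the sample, the six flagged lines are exactly the six entries Charles asked to have fixed; the legitimate Java, AVG and Adobe entries come back clean.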

#5 clueless in kansas


Posted 03 May 2007 - 08:23 PM

I've followed all the steps, and here are the two logs:


SDFix: Version 1.81

Run by Erin - Thu 05/03/2007 - 20:04:44.23

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:






Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

No Trojan Files Found...




Removing Temp Files

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


Remaining Files:
---------------


Checking For Files with Hidden Attributes:

C:\Documents and Settings\Erin\Application Data\OpenOffice.org2\user\registry\cache\org.openoffice.Office.Commands.dat
C:\Documents and Settings\Erin\Application Data\OpenOffice.org2\user\registry\cache\org.openoffice.Office.Common.dat
C:\Documents and Settings\Erin\Application Data\OpenOffice.org2\user\registry\cache\org.openoffice.Office.Compatibility.dat
C:\Documents and Settings\Erin\Favorites\MSN.com.url
C:\Documents and Settings\Erin\My Documents\Microsoft Picture It! 9\cpiqrtf5.dll
C:\Documents and Settings\Erin\My Documents\Microsoft Picture It! 9\cpitv9.dll
C:\Documents and Settings\Erin\My Documents\Microsoft Picture It! 9\cutout.dll
C:\Documents and Settings\Erin\My Documents\Microsoft Picture It! 9\gtv9.dll
C:\Documents and Settings\Erin\My Documents\Microsoft Picture It! 9\MFC71.dll
C:\Documents and Settings\Erin\My Documents\Microsoft Picture It! 9\MiniQD6.dll
C:\Documents and Settings\Erin\My Documents\Microsoft Picture It! 9\mixfix.dll
C:\Documents and Settings\Erin\My Documents\Microsoft Picture It! 9\msvcp60.dll
C:\Documents and Settings\Erin\My Documents\Microsoft Picture It! 9\msvcr71.dll
C:\Documents and Settings\Erin\My Documents\Microsoft Picture It! 9\pibase.dll
C:\Documents and Settings\Erin\My Documents\Microsoft Picture It! 9\picore.dll
C:\Documents and Settings\Erin\My Documents\Microsoft Picture It! 9\piedit.dll
C:\Documents and Settings\Erin\My Documents\Microsoft Picture It! 9\pimix.dll
C:\Documents and Settings\Erin\My Documents\Microsoft Picture It! 9\piphp.dll
C:\Documents and Settings\Erin\My Documents\Microsoft Picture It! 9\piproj.dll
C:\Documents and Settings\Erin\My Documents\Microsoft Picture It! 9\pisctv.dll
C:\Documents and Settings\Erin\My Documents\Microsoft Picture It! 9\piservr5.dll
C:\Documents and Settings\Erin\My Documents\Microsoft Picture It! 9\pitask.dll
C:\Documents and Settings\Erin\My Documents\Microsoft Picture It! 9\piutil.dll
C:\Documents and Settings\Erin\My Documents\Microsoft Picture It! 9\piwa.dll
C:\Documents and Settings\Erin\My Documents\Microsoft Picture It! 9\sbox9.dll
C:\Documents and Settings\Erin\My Documents\Microsoft Picture It! 9\stv9.dll
C:\Documents and Settings\Erin\My Documents\Microsoft Picture It! 9\workssvc.dll
C:\Documents and Settings\Erin\My Documents\Microsoft Picture It! 9\1033\dwintl.dll
C:\Documents and Settings\Erin\My Documents\Microsoft Picture It! 9\1033\pieres.dll
C:\Documents and Settings\Erin\My Documents\Microsoft Picture It! 9\1033\pitres.dll
C:\Documents and Settings\Erin\My Documents\Microsoft Picture It! 9\Microsoft Picture It! 9\cpiqrtf5.dll
C:\Documents and Settings\Erin\My Documents\Microsoft Picture It! 9\Microsoft Picture It! 9\cpitv9.dll
C:\Documents and Settings\Erin\My Documents\Microsoft Picture It! 9\Microsoft Picture It! 9\cutout.dll
C:\Documents and Settings\Erin\My Documents\Microsoft Picture It! 9\Microsoft Picture It! 9\gtv9.dll
C:\Documents and Settings\Erin\My Documents\Microsoft Picture It! 9\Microsoft Picture It! 9\MFC71.dll
C:\Documents and Settings\Erin\My Documents\Microsoft Picture It! 9\Microsoft Picture It! 9\MiniQD6.dll
C:\Documents and Settings\Erin\My Documents\Microsoft Picture It! 9\Microsoft Picture It! 9\mixfix.dll
C:\Documents and Settings\Erin\My Documents\Microsoft Picture It! 9\Microsoft Picture It! 9\msvcp60.dll
C:\Documents and Settings\Erin\My Documents\Microsoft Picture It! 9\Microsoft Picture It! 9\msvcr71.dll
C:\Documents and Settings\Erin\My Documents\Microsoft Picture It! 9\Microsoft Picture It! 9\pibase.dll
C:\Documents and Settings\Erin\My Documents\Microsoft Picture It! 9\Microsoft Picture It! 9\picore.dll
C:\Documents and Settings\Erin\My Documents\Microsoft Picture It! 9\Microsoft Picture It! 9\piedit.dll
C:\Documents and Settings\Erin\My Documents\Microsoft Picture It! 9\Microsoft Picture It! 9\pimix.dll
C:\Documents and Settings\Erin\My Documents\Microsoft Picture It! 9\Microsoft Picture It! 9\piphp.dll
C:\Documents and Settings\Erin\My Documents\Microsoft Picture It! 9\Microsoft Picture It! 9\piproj.dll
C:\Documents and Settings\Erin\My Documents\Microsoft Picture It! 9\Microsoft Picture It! 9\pisctv.dll
C:\Documents and Settings\Erin\My Documents\Microsoft Picture It! 9\Microsoft Picture It! 9\piservr5.dll
C:\Documents and Settings\Erin\My Documents\Microsoft Picture It! 9\Microsoft Picture It! 9\pitask.dll
C:\Documents and Settings\Erin\My Documents\Microsoft Picture It! 9\Microsoft Picture It! 9\piutil.dll
C:\Documents and Settings\Erin\My Documents\Microsoft Picture It! 9\Microsoft Picture It! 9\piwa.dll
C:\Documents and Settings\Erin\My Documents\Microsoft Picture It! 9\Microsoft Picture It! 9\sbox9.dll
C:\Documents and Settings\Erin\My Documents\Microsoft Picture It! 9\Microsoft Picture It! 9\stv9.dll
C:\Documents and Settings\Erin\My Documents\Microsoft Picture It! 9\Microsoft Picture It! 9\workssvc.dll
C:\Documents and Settings\Erin\My Documents\Microsoft Picture It! 9\Microsoft Picture It! 9\1033\dwintl.dll
C:\Documents and Settings\Erin\My Documents\Microsoft Picture It! 9\Microsoft Picture It! 9\1033\pieres.dll
C:\Documents and Settings\Erin\My Documents\Microsoft Picture It! 9\Microsoft Picture It! 9\1033\pitres.dll
C:\Documents and Settings\Erin\Desktop\cwshredder.exe
C:\Documents and Settings\Erin\Desktop\DE1530ADV.EXE
C:\Documents and Settings\Erin\Desktop\HeliconFilter3.10Free.exe
C:\Documents and Settings\Erin\Desktop\msgr8us.exe
C:\Documents and Settings\Erin\Desktop\OOo_2.0.4_Win32Intel_install.exe
C:\Documents and Settings\Erin\Desktop\spybotsd14.exe
C:\Documents and Settings\Erin\Desktop\OpenOffice.org 2.0 Installation Files\instmsia.exe
C:\Documents and Settings\Erin\Desktop\OpenOffice.org 2.0 Installation Files\instmsiw.exe
C:\Documents and Settings\Erin\Desktop\OpenOffice.org 2.0 Installation Files\setup.exe
C:\Documents and Settings\Erin\My Documents\Microsoft Picture It! 9\dw15.exe
C:\Documents and Settings\Erin\My Documents\Microsoft Picture It! 9\pi.exe
C:\Documents and Settings\Erin\My Documents\Microsoft Picture It! 9\pip.exe
C:\Documents and Settings\Erin\My Documents\Microsoft Picture It! 9\Microsoft Picture It! 9\dw15.exe
C:\Documents and Settings\Erin\My Documents\Microsoft Picture It! 9\Microsoft Picture It! 9\pi.exe
C:\Documents and Settings\Erin\My Documents\Microsoft Picture It! 9\Microsoft Picture It! 9\pip.exe
C:\Documents and Settings\Erin\Application Data\OpenOffice.org2\user\registry\cache\org.openoffice.System.dat
C:\Documents and Settings\Erin\Local Settings\Application Data\RcIncidents\RC10.tmp
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCToolbar.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCToolbar1.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBHOgen.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBHOgen1.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBHOgen2.zip

Finished
______________________________________________________________________

Logfile of HijackThis v1.99.1
Scan saved at 8:13:36 PM, on 5/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Documents and Settings\Erin\Desktop\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Thank you -

Erin

#6 rookie147


Posted 04 May 2007 - 01:37 AM

What do you know about the following file in your Desktop?

C:\Documents and Settings\Erin\Desktop\DE1530ADV.EXE

Let me know in your next post if you know anything. I'd also like a little bit of information as to how your computer seems to be running now.
Thanks,
Charles



#7 clueless in kansas


Posted 04 May 2007 - 05:57 AM

Good morning Charles!

The file you inquired about, C:\Documents and Settings\Erin\Desktop\DE1530ADV.EXE, has now been removed. It was a 'new free browser' that I intended to try out, but have decided not to do so.

My system is running 'fine' now or so it appears. It's back to normal, and I've done some other clean up. When I started this process, it was a mess and there were tons of 'trojan' files lurking around. I don't see them anymore, but am gun-shy.

Do you think I'm clear now? And, what can I do to avoid a 'reinfection'? I appreciate the speedy efforts with my system...

Erin

#8 rookie147


Posted 04 May 2007 - 09:16 AM

I think we've got rid of it all. Great job! Now that you're free from malware, please follow these simple steps to decrease the likelihood of getting re-infected again:

Set your system to not show all files.
Navigate to Start | My Computer | Tools | Folder Options.
Select the View tab. Under the "Hidden Files and Folders" heading, select "Show hidden files and folders".
Check: Hide file extensions for known file types
Check the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.
Either enable 'Automatic Updates' under Start | Control Panel | Automatic Updates, or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

In order to protect yourself against spyware, you should consider installing and running the following free programs:
Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.
Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.
SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.
Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

Please also read Tony Klein's excellent article: How I got Infected in the First Place
Thanks and happy computing,
Charles



#9 clueless in kansas


Posted 04 May 2007 - 06:19 PM

Thank you Charles - you've been fantastic! I've got to dash off to a ball tourney for the weekend, but will follow your advice when I boot back up!

By way of referral, I've given the link of this great site to another forum I belong to. It has almost 7,000 members, most smarter than I with technology.

Have a marvelous weekend and will send a donation when I get a PP balance!!!

#10 rookie147


Posted 05 May 2007 - 02:01 AM

Thank you very much for the kind words.
I hope you have a great weekend!



#11 rookie147


Posted 21 May 2007 - 06:20 AM

Since this issue appears to be resolved, this topic is now closed.
If you need this topic reopened, please request this by sending me a Personal Message including a link to your thread.
This applies only to the original topic starter. Everyone else please begin a New Topic.
